On privacy laws, every state is one of confusion

It's getting increasingly difficult for US firms to comply with regulations. David A. Meunier feels that it's time to develop safeguards and processes for this ever-changing regulatory environment.

Complying with a plethora of US state privacy laws is tough. Focus on their common elements.

All the time, it seems, another state is coming up with a new law for protecting consumers' sensitive data. At least 23 have passed a security breach notification law, and these laws are far from uniform. The result is a bevy of regulations du jour and a daunting challenge for information security and compliance professionals.

More than a few times I have been well on my way to meeting the privacy requirements for one state, only to find out another state has passed similar rules, but with additional mandates. Security breach laws vary as to who should be notified, what constitutes personal information, and most importantly, when notification should occur. Do we notify each time data has been accessed without authorization, or only when we believe the data is at risk?

In the midst of all this, federal legislation that would preempt the individual state regulations is under development, with at least four bills under consideration. A single national standard would be a great next step toward eliminating the confusion, but will it have teeth or fall short? When will it be passed into law, and when will businesses have to comply?

What we end up with is a regulatory environment that's in a constant state of flux, where on any given day you are compliant in one state and non-compliant in another. As a security professional, I am not a big fan of variation. It can increase the potential for security threats, plus cause confusion and frustration in IT departments and with customers. Yet doing nothing and waiting for a national standard is a risky and costly proposition for most IT departments. So how do we move forward with developing safeguards and processes in this ever-changing regulatory environment?

A good start might be to look at the similarities in the myriad regulations. All have two general requirements in common: communicate with customers and secure their information. The communication should be both proactive and reactive: telling clients what you are doing with their information, and notifying them when a breach occurs. Securing information focuses on access control and protection of data at rest and in transit. Sounds simple, but as many of us can attest, it is a very challenging task.

One approach for meeting these requirements is to conduct a risk assessment and develop a control framework and notification process. Start with a risk assessment to determine where your risks are and to what degree. Many tools are available from ISACA and other security organizations. Next, develop a control framework to build and implement mitigation solutions that are measurable and auditable. The most common frameworks are COBIT and ISO 17799 (since renumbered ISO/IEC 27002), which can be used in conjunction with each other.

Lastly, develop your process for breach notification. This is one of the most difficult tasks because each state requires notification to be handled differently. Using the "prudent man" theory might help here. In essence, implement compliance safeguards and processes based on the strictest regulations.

By focusing on meeting the regulations concerning communication and securing personal information, we can concentrate on building the trust and confidence of our customers, rather than continuously navigating through the various regulations.

There is no perfect solution. But as Patton's Law states, "A good plan today is better than a perfect plan tomorrow."

David A. Meunier, CISSP, is vice president and CISO of CUNA Mutual Group.
